Folks,
Here is my current configuration.
Server - ESXi 4.1 - IP 10.10.20.51. Has just one NIC card.
One VM set up with 3 static IP addresses 10.10.20.52, 10.10.20.53, 10.10.20.54. The VM is running 3 different websites on different IP addresses.
I now need to put the ESXi Server in DMZ zone such that the VM can deal with three external IP addresses, say, 60.60.60.21, 60.60.60.22 and 60.60.60.23.
I am wondering if all I need to do is just change the IP addresses within the VM. Or, do I need to reconfigure something on the ESXi Server as well?
Thank you in advance for your help.
Regards,
Peter
I forgot to add one more thing.
Or, can I simply put the VM itself in the DMZ zone? I like this solution better if it works.
Regards,
Peter
Even though you could do this using VLANs, I'd suggest you add another NIC and use one NIC for the management network of the ESXi host itself and the second NIC for your DMZ VM network.
André
You don't want to put the ESXi management IP in the DMZ. Ideally you'll add NIC ports and create a new vSwitch. The NIC port(s) in this vSwitch will be connected to your DMZ and you'll add a virtual machine port group to the DMZ vSwitch. Then you'll edit the VM's network connection to attach to the DMZ port group. That will provide your VMs DMZ connectivity (and I'm assuming you'll have a firewall in front of these VMs). Your management IP address for ESXi can stay as is. ESXi doesn't require a management IP on the DMZ vSwitch.
Create a new network (vmDMZ) and attach the physical NIC assigned to this vmDMZ to the DMZ. Attach the VM that needs access to the DMZ to this vmDMZ.
dmz->vmDMZ<-VM
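The vSwitch layout the two replies above describe, as an added example (not code posted by anyone in this thread): the esxcfg-vswitch commands an admin would type in the ESXi 4.x Tech Support Mode shell to create a separate DMZ vSwitch with the added NIC as its only uplink and a VM port group on it, followed by a check over `esxcfg-vswitch -l` output that the management port group did not end up on that vSwitch and that the DMZ NIC is not shared. The names vSwitchDMZ, vmnic1 and DMZ are assumptions, and the two listings are constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): build a separate DMZ vSwitch on an
# ESXi 4.x host from the Tech Support Mode shell, then verify that the
# management network did not end up on it.
# Assumed names: vSwitchDMZ (new vSwitch), vmnic1 (the added NIC), DMZ (port group).
DMZ_VSWITCH="${DMZ_VSWITCH:-vSwitchDMZ}"
DMZ_UPLINK="${DMZ_UPLINK:-vmnic1}"
DMZ_PG="${DMZ_PG:-DMZ}"
DMZ_VLAN="${DMZ_VLAN:-}"      # set only if the DMZ uplink is an 802.1Q trunk
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the commands, 0 = execute them on the host

# Print (dry run) or execute a command.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the DMZ vSwitch, bind the added NIC to it as its only uplink, and add
# the virtual machine port group the DMZ VM will be attached to. No VMkernel
# (management) port is created on it, on purpose.
dmz_vswitch_setup() {
    run esxcfg-vswitch -a "$DMZ_VSWITCH"
    run esxcfg-vswitch -L "$DMZ_UPLINK" "$DMZ_VSWITCH"
    run esxcfg-vswitch -A "$DMZ_PG" "$DMZ_VSWITCH"
    if [ -n "$DMZ_VLAN" ]; then
        run esxcfg-vswitch -v "$DMZ_VLAN" -p "$DMZ_PG" "$DMZ_VSWITCH"
    fi
}

# Check an 'esxcfg-vswitch -l' listing: returns 0 only if the DMZ vSwitch exists,
# its sole uplink is the DMZ NIC, no other vSwitch shares that NIC, and the DMZ
# vSwitch carries no port group other than the DMZ VM port group.
check_dmz_isolation() {
    printf '%s\n' "$1" | awk -v sw="$DMZ_VSWITCH" -v pg="$DMZ_PG" -v up="$DMZ_UPLINK" '
        /^Switch Name/ || /^  PortGroup Name/ || NF == 0 { next }
        /^[^ ]/ {                       # vSwitch line: name ... uplinks
            cur = $1
            if (cur == sw) { found = 1; if ($NF != up) bad = 1 }
            else { n = split($NF, ups, ","); for (i = 1; i <= n; i++) if (ups[i] == up) bad = 1 }
            next
        }
        cur == sw {                     # port group line under the DMZ vSwitch
            name = $0
            sub(/^  /, "", name)
            sub(/[ \t]+[0-9]+[ \t]+[0-9]+([ \t]+[^ \t]*)?[ \t]*$/, "", name)
            if (name != pg) bad = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }'
}

# Constructed sample listings (not from a real host). Correct layout first:
# management stays on vSwitch0/vmnic0, the DMZ port group alone on vSwitchDMZ/vmnic1.
SAMPLE_OK='Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         128         4           128               1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Management Network    0        1           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitchDMZ       128         3           128               1500    vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  DMZ                   0        1           vmnic1
'
# The mistake the thread warns against: the management port group moved onto the DMZ vSwitch.
SAMPLE_BAD='Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitchDMZ       128         4           128               1500    vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  DMZ                   0        1           vmnic1
  Management Network    0        1           vmnic1
'

dmz_vswitch_setup
if check_dmz_isolation "$SAMPLE_OK"; then
    echo "ok: $DMZ_VSWITCH carries only $DMZ_PG on $DMZ_UPLINK"
fi
if check_dmz_isolation "$SAMPLE_BAD"; then :; else
    echo "not isolated: another port group or a shared uplink found on $DMZ_VSWITCH"
fi
```

By default the script only prints the three esxcfg-vswitch commands; run it with DRY_RUN=0 on the host to apply them, then feed the real `esxcfg-vswitch -l` output to check_dmz_isolation. Attaching the VM's network adapter to the new port group is done in the vSphere Client, as the reply above says, and the firewall in front of the DMZ uplink is assumed, not configured here.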
Morning Peter,
I really cannot recommend highly enough that you get extra NICs in this host, for security reasons.
You want to physically segregate the VMs from the storage and management.
Either way, any of the above options is valid.
There is a very good whitepaper on VMware in the DMZ available at:
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
This will run you through the 3 options to consider. I'd get your network and security teams on board though to discuss the options.
If you are unable to get budget for another NIC, but already have firewalls in place, consider some sort of NATed arrangement.